explorer.exe rundll32

[HelpIsNeeded]

Please, can you review these screenshots and tell me if it's a good idea to have those blocked. And do you have recommended files to add to that list?
https://ufile.io/m9aon98l

[Curson]

Hi HelpIsNeeded,

I meant that live access to the system is usually needed by an expert to detect exactly what is doing the injection.
Sorry for the misunderstanding.

Blocking applications can have unintented consequences. I would be very careful with that.

Regards.

[HelpIsNeeded]

Hi again. I downloaded EICAR test file and did as they said but my antivirus dont find it as a malware! so it seems my antivirus dont work as it should, im afraid someone has managed to do this to remain undetected. I mean why does it not find it as a virus, it just scans and say everything is ok. it should say something is wrong because its a test file not a real threat but it should still make it go "Alert!" but it does not hence why something is wrong. I did as they said and right-clicked the file and chose norton to scan it but it came out ok no detection. Please see my screenshot and see if i did it the right way.

https://imgur.com/a/zQ0vlDd

https://kcm.trellix.com/corporate/index?page=content&id=KB59742

[Curson]

Hi HelpIsNeeded,

It seems some AV engines does not detect it anymore.

The developers of one anti-virus software, Malwarebytes, have said that they did not add the EICAR test file to their database, because "adding fake malware and test files like EICAR to the database takes time away from malware research, and proves nothing in the long run"

Regards.

[HelpIsNeeded]

Hi HelpIsNeeded,

It seems most AV engines does not detect it anymore.

Please see the results of VirusTotal :
https://www.virustotal.com/gui/file/a29fbf9bbef6c3bbb204dd7bb9f5a6619529a6fb6371985a73242092133de227/detection

So, no wonder Norton and MalwareBytes didn't detect it.

Regards.

Ok thanks. I saw this article https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/ (not directly related but i have something to say)

And in this screenshot i point out that its a file internet shortcut, and thats exactly what i had in my pc for no reason at all, it was also a internet shortcut .ink that had your website name and EICAR in its name, now i cant find that file, but have it saved in my usb just in case needed as proof. i dont remember if i deleted it. I found it via searching the pc for EICAR when we spoke in the beginning.

https://imgur.com/a/KeFmzDG

is it a internet shortcut or is it "INFO ON .INK FILES

The INK file type is primarily associated with 'Tablet PC' " that can be seen in my screenshot?

https://imgur.com/a/m9Ozcn8

https://imgur.com/a/SHxva69

[Curson]

Hi HelpIsNeeded,

Shortcuts (LNK files) are not malicious.
Can you please update and do a complete system scan with RogueKiller ? We made some adjustements to the engine.

Regards.

[HelpIsNeeded]

Hi HelpIsNeeded,

Shortcuts (LNK files) are not malicious.
Can you please update and do a complete system scan with RogueKiller ? We made some adjustements to the engine.

Regards.

Oh! That's why I don't get librewolf or explorer to be flagged anymore, been scanning over and over for hours on end. I guess i can stop that now, lmao. Thanks for your help

[Curson]

Hi HelpIsNeeded,

You are welcome.
Thanks for your feedback.

Regards.

[HelpIsNeeded]

Hi again. Just a question. You said it was not a false positive, did you change RogueKiller so that it flagged what was found from my part as false positive? Regards

[Curson]

Hi HelpIsNeeded,

It is a little more complicated than that.
Explorer.exe is the file explorer of Windows NT-based system and part of the Windows GUI (desktop, Start Menu, Taskbar), the Windows Shell.

There is a caching mechanism implemented in explorer.exe to display already viewed files faster (you can test this with large images). There is no source code available, so it's speculation at this point but, after asking some colleagues, we came to the conclusion that there is a file on your computer that contains the EICAR test string and that its content is cached in explorer.exe memory, hence triggering the detection.

In conclusion, the EICAR test is really present, but it's not the result of an injection, but some caching mechanisms.
We refined RogueKiller engine to detect that difference. That's why the detection is now gone.

Regards.

[HelpIsNeeded]

Hi HelpIsNeeded,

It is a little more complicated than that.
Explorer.exe is the file explorer of Windows NT-based system and part of the Windows GUI (desktop, Start Menu, Taskbar), the Windows Shell.

There is a caching mechanism implemented in explorer.exe to display already viewed files faster (you can test this with large images). There is no source code available, so it's speculation at this point but, after asking some colleagues, we came to the conclusion that there is a file on your computer that contains the EICAR test string and that its content is cached in explorer.exe memory, hence triggering the detection.

In conclusion, the EICAR test is really present, but it's not the result of an injection, but some caching mechanisms.
We refined RogueKiller engine to detect that difference. That's why the detection is now gone.

Regards.

"content is cached in explorer.exe memory"
Is that of any concern? Regards

[Curson]

Hi HelpIsNeeded,

No, it's no concern at all.
Like I said the EICAR string is completely harmless.

Regards.